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(54) System and method for managing user permissions for accessing functionality of multiple 
software appl Ications 



(57) This invention overcomes the disadvantages of 
the prior art by providing a method of assigning user 
access to various functionality of software products. 
The present invention is directed to, in a general aspect, 
a method of managing user permissions for multiple 
software applications. The method provides a single 
administration point for all installed software products or 
applications. Users and user permissions, which are 



product specific rights, can be added, deleted and mod- 
ified through this method. The rights can be assigned 
through the use of a template for categories of users or 
through ad hoc administration. The invention over- 
comes the disadvantages of the prior art by providing a 
system which is flexible and does not waste memory. 
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Description 

[0001] The invention disclosed herein relates generally to accessing functions in a software product and, more par- 
ticularly to a method for managing user permissions for providing access to functions for multiple software products. 

5 [0002] Computer systems such as microprocessor based systems can support multiple software products or appli- 
cations. Particularly, with the use of Windows™ based operating systems, users need to access the functionality of mul- 
tiple software products regularly. The software products could be products used for operating equipment, such as, for 
example, mail sorting equipment. Each software product could have different functionality and have rights to access 
such functionality which could be assigned to users based upon the users' authority. In order to limit access to particular 

10 software functionality, each software product can also provide features which limit access only to designated users. 
Additionally, some software programs provide general access through the use of password protection. Password secu- 
rity is typically provided by use of a user name and password, which is entered by a user upon initiation of use of the 
software 

[0003] Access to software functionality is typically provided through use of fixed access levels assigned to various 

is individuals as user, administrator and service representative. For example, the functionality levels for software products 
for a particular piece of equipment could include administrator level and service representative level with each group 
having access to particular rights. Administrators may need rights to change set-up information and service represent- 
atives may need rights to change set-up information and access diagnostic information. Presently, these rights are 
through the individual software products, and the flexibility is not available to allow assigning ad hoc rights to a user out- 

20 side of the rights that are assigned by a user's access level. For example, typically an administrator has administrative 
rights, but the administrator does not have the right to access a particular diagnostic function of the software. Addition- 
ally, an operator or user of the equipment has rights to run a system but would not be assigned any administrative rights. 
[0004] Alternatively, user permissions could be managed using one large data file with which ad hoc rights could 
be assigned; however, the file would need many duplicate rights for each software application. As each software prod- 

25 uct has its own functionality and purpose, product rights vary from one software product to the next. For example, the 
right to send e-mail would be critical for an electronic mail program but would be irrelevant for a word processor software 
product As such, each product's rights are define by the product's scope of functionality. However, this makes it difficult 
to standardize rights into a single format; the rights for one product do not necessarily correspond to another. To circum- 
vent this problem, rights could be stored as a union of all rights for all products. This would mean that functionality that 

so is relatively common, such as opening a file, printing a report, etc. would be represented, but that specialized rights, 
such as sending an e-mail as shown above, would also be included. The problem with this approach is that the proba- 
bility of using each of the rights for a single software product is small and consequently the data file comprising the 
union of all the rights is larger than necessary and wastes valuable memory space. 

[0005] Another solution would be to place all the rights of all the products into a single record in the database. This 
35 would have the advantage of making access to information easy since the information is in one data file. However, much 
of the information would be duplicated such as, for example, the commands "Open File for Product A" then "Open File 
for Product B\ In addition, if any of the products were modified with respect to the information in the data file, the entire 
record would have to change, possibly disrupting the operation of the other products. 

[0006] For each software product, a user typically has a user name and a password which he or she must remem- 
40 ber. The configuration of each user name and password can be different in each application, for example, the number 
of characters, types of characters and consecutiveness of the characters may be mandated by an individual software 
application's security configuration. Thus, the user's choice of password for one product may not be compatible with the 
configuration for another product, and he or she may need to choose a different user name and password from one 
application to the next. Thus, one user could have many different user names and passwords. Wrth so many applica- 
45 tions and passwords for a user to keep track of, it is common that a user can forget a password and thus be unable to 
access a software application. Some users may write the user name and password on paper and store the paper in a 
particular place. However, this provides potential for breach of security since the written user name and password could 
be found by a third party who could then access the application and breach security. 

[0007] Thus, one of the problems of the prior art is that assigning various functionality of software products to var- 
so ious users is cumbersome and wastes memory. Another problem of the prior art is that user access levels are rigid and 
cannot be assigned on an ad hoc basis. Still another problem of the prior art is that users need to manage multiple 
passwords and user names. Yet another problem of the prior art is that administering rights for multiple products is cum- 
bersome. 

[0008] This invention overcomes the disadvantages of the prior art by providing method of managing user permis- 
55 sions or rights to access functionality for multiple software applications. The foregoing is accomplished by providing a 
series of tables containing access rights information associated with the users and the products/software applications. 
The user manager provides one access point to all user rights such that the user would only need one set of user spe- 
cific information such as user name and password in order to access multiple software products. Thus the present 
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invention is directed, in a general aspect, to a method of managing user permissions for access to multiple software 
applications. The method provides a single administration point for all installed software products or applications. Users 
and user permissions, which are product specific rights, can be added, deleted and modified through this method. The 
rights can be assigned through the use of a template for categories of users or through ad hoc administration. 

s [0009] Thus, an advantage of the method of the present invention is that it provides a easier administration of user 
rights Another advantage of the present invention is that there would be flexibility in the assignment of user rights. 
Another advantage of the method of the present invention is a user would need only one set of user unique information 
in order to access multiple software applications. Another advantage of the present invention is that a user would be 
less likely to compromise security by writing unique password information on paper. Other advantages of the invention 

w will in part be obvious and will in part be apparent from the specification. The aforementioned advantages are illustrative 
of the advantages of the various embodiments of the present invention. 

Fig. 1 is a block diagram of an embodiment of a computer system upon which multiple software products may 
reside. 

is Fig 2 is a flow chart of an embodiment of the method of the present invention. 

Fig. 3 is a block diagram of an embodiment of the present invention the relationship of tabular information config- 
ured to enable a method of the present invention. 

[0010] In describing the preferred embodiment of the present invention, reference will be made herein to Figs. 1 -3 
20 of the drawings in which like numerals refer to like features of the invention. Features of the invention are not necessarily 
shown to scale in the drawings. 



HARDWARE OVERVIEW 



25 



30 



[001 1] FIG 1 is a block diagram that illustrates a computer system 1 00 upon which an embodiment of the invention 
may be implemented. Computer system 100 may be a personal computer, a term which is used generically and refers 
to present and future microprocessor systems with at least one processor operatively coupled to user interface means, 
such as a display 102 and keyboard 104, and/or a cursor control, such as a mouse or a trackball 106, and storage 
media 108 The personal computer 100 may be a workstation that is accessible by more than one user. The personal 
computer also includes a conventional processor 110, such as the Pentium® II processor manufactured by Intel Cor- 
poration of Santa Clara, California, conventional hard drive 108 floppy drive(s) 112, and memory 114. The present 
invention is related to the use of computer system 1 00 for controlling the access to software applications located in com- 
puter 1 00 and media 1 08. Access to the software functionality is limited by the user manager of the present invention. 



35 USER MANAGER 



[0012] One embodiment of the present invention is directed to a user manager or method of managing user per- 
missions for access to multiple software products or applications. The following definitions may be used in understand- 
ing the invention. A "user* can be an operator of any or all of the software products installed on the computer system 
40 100 An "administrator" is a user of the method for managing user permissions of the present invention. A "product" can 
be a software program, system, or application for which a user may be granted access by a method of the present 
invention. "Permissions" can be product specific rights that may be assigned to a user; each product may have one or 
more permissions and some products may have no permissions.. 

Fig 2 is a flow chart of an embodiment of the method of the present invention illustrating the steps of inputting user 
45 information and obtaining permissive use of software through the use of the user manager. At step 50, the method 
begins At step 52 a user enters user specific information such as, for example, a user name and password. At step 54, 
the user manager receives the user specific information. At step 56, the user manager makes a query as to whether 
the user is valid. If the user is not valid, the method ends at step 58. If the user is valid, the method continues to step 
60 and the user requests privileges for a specific product. Privileges can include the right to access a product as well 
so as the right to use a particular functionality of a product. At step 62, a query is made as to whether the product is valid. 
If the product is not valid, the method ends at step 58 or, alternatively, the user could input another product. If the prod- 
uct is valid, a query is made as to whether a record exists for this user/product combination. If the user/product combi- 
nation does not exist, the method ends at step 58. If the user/product combination exists, the method continues to step 
66 and the user manager returns products rights, and at step 68 the user is allowed access to the system to perform 
55 privileges assigned to the user. 

[0013] Tables A-F illustrate an embodiment of a database schema that can be used to perform a method of the 
present invention. The format of tables link users to user rights and product rights. One of ordinary skill in the art could 
format the Schema Tables A-F using a database program such as Access® by Microsoft of Redmond, WA, and the tab- 



3 



EP1 091 274 A2 



10 



15 



a ull7S°l JT "? ^ d3tabaSe in binary f ° rm - Tabte A i,,ustrates user '"fo^tion such as for example 
for^l^f 3 Jt *? deSCr,Pti0n ° f the USer " S fU " name - Tab,e B illustrates «~ purity inlormaton such as 
mLSch ~ fo T ^ ^ PaSSWOfd and 1,16 user ' s ^inistrator. Tabte C Zstrates p oduSTnS 

ro^ a2 ITf 7 ™ entifiCati ° n nUmber> Pr ° dUCt name ' and PradUCt Versi ° n and --onfnumc^s. 

[0014] Additional tables Illustrate user and product rights as follows. Table D illustrates Product Rtah* «,h^h «.» 

o the database bemg used), atemplate identification which links the user to a specific usertemplate such L for «v»m 



Database Schema Tables 



20 [0015] 



Table A 



25 


Users 




Purpose: 


Contains basic user information 




Columns: 


User ID - the ID by which the user is known 


30 




Full Name - A text description of the user for reference 



Table B 



35 


User Security 




Purpose: 


Contains security information 




Columns: 


User ID - the ID by which the user is known 


40 




Password - the user's password 



Table C 







Products 




Purpose: 


Contains information on the Products stored in the system 


50 


Columns: 


Product ID - a number assigned by the system to uniquely identify the Product 
Product Name - the name of the Product Version - the version of the product 
Version - the version of the product 
Revision - the product's current revision 


55 




(example: product may be version 1 .2- version is 1 and revision is 2) 
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10 



Table D 
Product Rights 



Purpose: 
Columns: 



Contains information about a product's specific rights 
Product ID - the ID of the product, relates to Products table 
Bit ID - The individual bit that is being set 
Right Text - a text description of the specific right 



15 



20 



25 



Purpose: 
Columns: 



Table E 



User Rights 



Contains the actual rights information 

User ID - the ID by which the user is known 

Product ID - the ID of the product, relates to Products table 

User Rights - data containing user tights 

User Rights - data containing additional user rights 

Template ID - references a template if one has been assigned to a 

user (see Rights Template below) 



30 



Table F 



40 



45 



Rights Template 



Purpose: 
Columns: 



Contains Information pertaining to a Product's templates 

Template ID - a number identifying the template 

Product ID - the ID of the product, relates to Products table 

Template Name - a text description of the template 

Rights - data containing product rights 

Rights - data containing additional product rights 



50 



55 



[0016] Fig. 3 is a block diagram illustrating the relationship of tabular information configured to enable a method of 
the present invention. As illustrated in Fig. 3, each of Database Schema Tables A-F is linked to each other. The numer- 
als next to each block of the block diagram represent the database relationship. For example the database relationship 
between the User Table A and the User Security Table B is one to one; and the relationship between the User Table A 
and the User Rights Table E is one to many. The following explains the table linkage illustrated in Fig. 3: the User Table 
A is linked to the User Security Table B and the User Rights Table E; the User Rights Table E is linked to the Products 
Table C and the User Table A; the Products Table C is linked to the User Rights Table E, the Rights Template Table F 
and to the Product Rights Table D; and the Product Rights Table D is linked to the Products Table C. 
[0017] The following is an example of an embodiment of the present invention demonstrating the interrelationship 
of Tables A-F. A user logs on using the user manager of the present invention by entering user specific information such 
as, for example, a user name, user identification and password. The user manager verifies the user name by checking 
the Users Table A, and the user identification and password by checking the User Security Table B. The user manager 
then looks at the User Rights Table E corresponding to the user identification. The user manager obtains a list of prod- 
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"™ the ££S2£££ST f ct T JT °- The user manager 030 obtain individua ' ri 9 hts to that 

DteTe^rl^ : » S 9 k, Ca " 96t 3 P redef,ned list of tef "P'ates from the Rights Template Table F. This exam- 

S^Srr?- IT ? S6qUenCe ° f the functionalit y of th ® ««• manaper. The method could be performed usinq a 
SSltw A 7r a K 2 re i ati0na ' Pr ° 9ram "** 38 MicrOSOft ® Access by P MbrTsoft cZ 

coi to onf oTmL ? i 66 US6d bV °" e ° f ° rdinary Ski " in the art and 9 eneral, y ^tows developers to bind 
code to one of many executable routines at run time rather than at link time, creating an environment in which manv 
app^tons can use the same code base to enable the efficient and effective manipuLon of complex ^ 

* J h ®T rTOraperaNWSasin9te ^ Users can 

be added, deleted or modified through the schema in the database. The single integration point ITS^the ne^d for 
murbple log.ns which could require multiple user names and muitiple passwords. Thus, xZ uLTm^rtxr^Z 
USE? ° f ' nformati ° n *" 3 USer needS to remember in * use a software product. M^ZXte uZ 
aThXa^to int^l 6 1" T ^ * redUC6S ^ ChanCS that a user wil ' wtte *>™ ^ user name and pa^word fo 
CulrT ' USe - ThUS ' ^ PfeSent lnVenti ° n Pr ° VideS 8 m ° re simp,rfied and ■«« ^thod of manag- 

E , J^"? the pre f ent invention has bee " disclosed and described with reference to a single embodiment 

Hrien^^^i Z2? ^ "* modificattons ™* be herein. It if aiso no2 Ttha 

«r£STIlr^5 ?• u managing software users. Thus, it is intended in the following claims to cover each 

var.at.on and modrf.cat.on that falls within the true spirit and scope of the present invention. 



Claims 

1. 



A data processing system for determining access rights to a set of one or more features of two or more software 
applications by a user of the system; the system comprising: 

(a) user identification means for identifying the user of the system; 

(b) authentication means for determining whether the identified user is authentic- 

Sj^^ZT ^ ** "* °~ " ° f ^ * ^ ""*-««» 

STJ l!f ^ for K identlf y in 9 a 861 <* ^ «'^e to the authenticated user and wherein the set of 
Sfens authenticated users access to the each one of the set of two or more software £,* 

(e) a second user rights table relative to the authenticated user's access to the each one of the two or more 
software applications wherein the second user rights table is indicative of the authenticated use^esTS 
me set of one or more features within the each one of the set of two or more software applications- aS 

(f) access means for allowing the authenticated user to access the set of one or more SSiSs 

2 ' n^Snfl'T" 9 * 38 C ' aimed C ' aim 1 fUrth6r "WW* a user rights template table for identifying a 

fixed set of features from the set of one or more features of the set of two or more software applications. 

3 " is^Ksrisr m 38 daimed in c,aim 1 wherein *• user identmcation TOans far ***** *• 

4 " Jl^S processin 9 s y stem as claimed in claim 1 wherein the authentication means for determining whether the 
.dentmed user is authentic, authenticates the user by verifying the user's identification and password 

The data processing system as claimed in claim 1 wherein the software identification table comprises a software 
^Snurnt^ h S °^r^ licati ° n "ame, software app^on version number and sXSre 
rev BK> n number for each one of the set of two or more software applications accessed by the system. 

The data processing system as claimed in claim 1 wherein the first user rights table for identifyino a set of rtahte 

etTon^TL a r ntiCated US Z S Wherei " ^ S6t ° f ri9htS iS indiCatiVe - authentic^ SX acSst X 
ucnde^ltf ° f m ° re SOftWare app,ications accessed ^ the system comprises a user identification a prod 
uct identrf.cat.on, one or more sets of user access rights. ' p 

^ to^S" 9 ^? 38 daimed in C ' aim 1 Wherein me flrst user ri 9 hts teb,e for identifying a set of rights 
t*TZ? authenticated users and wherein the set of rights is indicative of the authenticated user7acce7s to 

~ *"° ° r m ° re S ° ftWare applications accessed by the system further composes a Sate 
.dent.flcat.on .dentrfy.ng a fixed set of access rights for the set of two or more software applications P 



5. 



6. 
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8. The data processing system as claimed in claim 1 wherein the second user rights table relative to the authenticated 
user's access to the each one of the set of two or more software applications wherein the second user rights table 
is indicative of the authenticated user's access to a set of one or more features within the each one of the set of two 
or more software applications comprises: a software application identification and a text description of the access 

5 right assigned by the second user rights table. 

9. The data processing system as claimed in claim 1 wherein the access means for allowing the authenticated user 
to access the set of one or more features comprise a computer system. 

10 1 0. A method of processing data for determining access rights to a set of one or more features of two or more software 
applications by a user of the system; the method comprising the steps of: 

(a) identifying the user of the system; 

(b) authenticating whether the identified user is authentic; 

r 5 (c) accessing the data processing system using an access means for allowing the authenticated user to access 

the set of one or more features; 

(d) processing a software identification table for identifying each one of the set of two or more software appli- 
cations accessed by the system; 

(e) processing a first user rights table for identifying a set of rights relative to the authenticated user and 
20 wherein the set of rights is indicative of the authenticated user's access to the each one of the two or more soft- 
ware applications; and 

(f) processing a second user rights table relative to the authenticated user's access to the each one of the set 
of two or more software applications wherein the second user rights table is indicative of the authenticated 
user's access to the set of one or more features within the each one of the set of two or more software appli- 

25 cations. 

1 1 . The method of processing data as claimed in claim 1 0 further comprising the step of processing a user rights tem- 
plate table identifying a fixed set of features from the set of one or more features of the set of two or more software 
applications. 

30 
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FIG. 1 
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FIG. 2 
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